Academic year: 2020


Attribute-based Authenticated Key Exchange


M. Choudary Gorantla, Colin Boyd, and Juan Manuel González Nieto, Information Security Institute, Faculty of IT, Queensland University of Technology

GPO Box 2434, Brisbane, QLD 4001, Australia.

Email: [email protected],{c.boyd,j.gonzaleznieto}@qut.edu.au

Abstract. We introduce the concept of attribute-based authenticated key exchange (AB-AKE) within the framework of ciphertext policy attribute-based systems. A notion of AKE-security for AB-AKE is presented based on the security models for group key exchange protocols and also taking into account the security requirements generally considered in the ciphertext policy attribute-based setting. We also extend the paradigm of hybrid encryption to the ciphertext policy attribute-based encryption schemes. A new primitive called encapsulation policy attribute-based key encapsulation mechanism (EP-AB-KEM) is introduced and a notion of chosen ciphertext security is defined for EP-AB-KEMs. We propose an EP-AB-KEM from an existing attribute-based encryption scheme and show that it achieves chosen ciphertext security in the generic group and random oracle models.

We present a generic one-round AB-AKE protocol that satisfies our AKE-security notion. The protocol is generically constructed from any EP-AB-KEM that satisfies chosen ciphertext security. Instantiating the generic AB-AKE protocol with our EP-AB-KEM will result in a concrete one-round AB-AKE protocol also secure in the generic group and random oracle models.

Keywords. Attribute-based Key Exchange, Attribute-based KEM, Group Key Exchange

1 Introduction

In a distributed collaborative system, it is often convenient for the members to communicate with the others in the system using attributes that describe their roles or responsibilities. These attributes are highly desirable if the members join/leave the system dynamically. Consider an Internet forum where the members are organized into user groups based on the members’ skills or privileges. It is a natural requirement that the members of a user group should be able to establish secure communication with the other members belonging to particular user groups. The communication in these forums is generally carried out through initiating a thread or by posting messages within an existing thread. To enable authentic and confidential communication, the forum administrator may specify an access policy with the user groups being attributes. Obviously, only the members of the forum whose attributes (e.g. membership to user groups) satisfy the policy should be able to have read and/or write access to the thread.

In the above scenario, the members do not necessarily have to know the identity of the other members with whom they want to communicate. In fact, the administrator may be requested not to disclose the identity of a member to the others for privacy reasons. Any member whose attributes satisfy the policy specified by the administrator should be able to participate in the communication. Note that the communication can naturally be among a group of more than two members, since the defined policy may be satisfied by attributes of more than two members. Hence, an authenticated group key exchange protocol that facilitates attribute usage can be employed in this setting. We call such a protocol an attribute-based authenticated key exchange (AB-AKE) protocol. Once a session key among the willing participants has been established via the key exchange protocol, it can be used for establishing secure communication among the participants.


We can further envisage applications for AB-AKE in interactive chat rooms and also in organizations with strict hierarchy like the military. In interactive chat rooms, each room may be associated with a policy defined with a set of interests being the attributes. Any member whose interests satisfy the policy of a chat room can have read and/or write access to it. Similarly, a policy over ranks (e.g., Sergeant, Lieutenant, Major, Colonel etc.) as attributes can be specified for the units in the military by another unit at a higher level in the hierarchy. All the units whose attributes satisfy the policy can establish secure communication among themselves through an AB-AKE protocol.

Attribute-based Encryption. Sahai and Waters [29] introduced the concept of attribute-based encryption (ABE) as an extension to ID-based encryption [7], in which a set of descriptive attributes is regarded as an identity. Goyal et al. [22] further extended the idea of ABE and introduced two variants: key policy attribute based encryption (KP-ABE) and ciphertext policy attribute based encryption (CP-ABE). In a KP-ABE system, the private key of a party is associated with an access policy defined over a set of attributes while the ciphertext is associated with a set of attributes. A ciphertext can be decrypted by a party if the attributes associated with the ciphertext satisfy the policy associated with the user's private key. A CP-ABE system can be seen as a complementary form to a KP-ABE system, wherein the private key is associated with a set of attributes, while a policy defined over a set of attributes is attached to the ciphertext. A ciphertext can be decrypted by a party if the attributes associated with its private key satisfy the ciphertext's policy.

1.1 Contributions

In this paper, we introduce the concept of AB-AKE. We assume that each member willing to participate in an AB-AKE protocol is issued a private key for a set of attributes that he/she possesses. Our modelling of AB-AKE follows the framework of CP-ABE in that the attributes are associated with the private keys. We assume that the members are given an access policy which their attributes have to satisfy for them to participate in the protocol. Alternatively, a common policy may be negotiated by the group members themselves. The protocol takes the access policy as input and computes messages for the other parties. Similar to the CP-ABE systems, we may assume that the policy is attached to the protocol messages in an AB-AKE protocol, although this assumption is not necessary since each member knows the policy at the outset of the protocol. A member whose attributes satisfy the given policy can compute the session key from the incoming messages and (if it exists) its own contribution.

While a complementary flavour of AB-AKE can be conceptualized based on KP-ABE systems, we do not explore this direction in this work. For the type of applications that we have discussed earlier, AB-AKE protocols based on CP-ABE systems suit well. AB-AKE can be seen as an extension of group key exchange (GKE) [11, 26, 25] with the additional expressiveness provided by the ciphertext-policy attribute-based systems. We define a notion of authenticated key exchange security (AKE-security) for AB-AKE by adapting a corresponding notion for GKE to the attribute-based setting. The property of collusion resistance considered by attribute-based systems [22, 4, 32] is naturally embedded into our AKE-security notion.


define a notion of chosen ciphertext security for EP-AB-KEM based on a corresponding notion considered for CP-ABE schemes.

Our AB-AKE protocol is generic in the sense that it can be instantiated using any EP-AB-KEM that satisfies chosen ciphertext security. We propose a chosen-ciphertext secure EP-AB-KEM based on the CP-ABE scheme of Bethencourt et al. [4] and using the generic technique of Boneh et al. [9]. While we apply the technique of Boneh et al. to the chosen plaintext secure EP-AB-KEM implicit in Bethencourt et al.'s scheme, we also make some non-trivial changes to adapt it to the attribute-based setting. The proposed EP-AB-KEM is then proven secure in the generic group and random oracle models. Incidentally, we are the first to model and construct EP-AB-KEMs, which are of independent interest.

Finally, an AB-AKE protocol satisfying our AKE-security provides implicit authentication that is similar to the corresponding notion considered for normal key exchange protocols. Particularly, our AKE-security notion ensures each protocol participant that no other party apart from parties who satisfy the given policy can possibly learn the value of the session key. Note that an EP-AB-KEM cannot achieve this property since it does not provide any sender authentication. Consequently, the receivers in EP-AB-KEM whose attributes satisfy the policy have no way of knowing whether the sender actually satisfies the same policy or not. For example, if we use an EP-AB-KEM in a user group, anyone can post a message that is encrypted with the symmetric key of the EP-AB-KEM. Alternatively, if the message is encrypted with a session key derived from an AB-AKE protocol, the readers will get the assurance that only someone with a valid attribute set has posted the message.

Our generic construction of AB-AKE can be seen as an extension of the protocols of Boyd et al. [10] and Gorantla et al. [19] to the attribute-based setting. One disadvantage of our protocol is that it cannot provide forward secrecy. However, for some of the applications that we have discussed, forward secrecy may not be necessary. For example, in an Internet forum the administrator may like to moderate the content posted in the user groups, or in the military a unit at a higher rank would like to monitor the communication among the units at the same or a lower rank. In such scenarios, an AB-AKE protocol without forward secrecy will be useful since any party with the right attribute set will be able to recover the session key and consequently the messages encrypted with it. Nevertheless, forward secrecy is generally a highly desirable property for key exchange protocols. Hence, we also sketch constructions of AB-AKE protocols that can achieve forward secrecy.

1.2 Related Work


secret handshakes. Finally, the fuzzy secret handshake protocol of Ateniese et al. considers only the two-party setting, while our protocol naturally operates in a group setting.

In independent work, Steinwandt and Corona [31] proposed a two-round attribute-based group key exchange protocol that achieves forward secrecy. Their protocol uses the GKE protocol of Bohli et al. [6] as the base protocol and replaces the public key signature scheme in Bohli et al. with an attribute-based signcryption scheme to authenticate the protocol messages. Recently, Birkett and Stebila [5] introduced the concept of predicate-based key exchange which encompasses key policy attribute-based key exchange. However, their security model considers key exchange between only two parties.

1.3 Organization

Section 2 presents a security model for EP-AB-KEM and also proposes a chosen ciphertext secure EP-AB-KEM. We first define a security model for AB-AKE in Section 3 and then present a generic one round AB-AKE protocol based on EP-AB-KEM. In Appendix 5, we outline how to construct AB-AKE protocols with forward secrecy. Appendices A, B and C contain preliminaries, proof of the proposed EP-AB-KEM and proof of the generic AB-AKE protocol respectively. We describe the hybrid CP-ABE construction and prove its security in Appendix D.

2 Encapsulation Policy Attribute-based KEM

We first give a formal definition of security for EP-AB-KEM. As in the earlier attribute-based systems [22, 4], we review the definition of an access structure and use it in the security model. Later, we present a concrete EP-AB-KEM based on the CP-ABE scheme of Bethencourt et al. [4].

Definition 1 (Access Structure [2]). Let $\{U_1, \cdots, U_n\}$ be a set of parties. A collection $\mathbb{A} \subseteq 2^{\{U_1, \cdots, U_n\}}$ is monotone if $\forall B, C$: if $B \in \mathbb{A}$ and $B \subseteq C$ then $C \in \mathbb{A}$. An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) $\mathbb{A}$ of non-empty subsets of $\{U_1, \cdots, U_n\}$, i.e., $\mathbb{A} \subseteq 2^{\{U_1, \cdots, U_n\}} \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are called authorized sets, and the sets not in $\mathbb{A}$ are called the unauthorized sets.

In our EP-AB-KEM and later in the protocol, each party is assumed to possess a set of attributes. A policy over a set of attributes is specified through an access structure $\mathbb{A}$. Hence, $\mathbb{A}$ contains the authorized sets of attributes, i.e., $\mathbb{A} \subseteq 2^{\{S_1, \cdots, S_n\}} \setminus \{\emptyset\}$ for a given set of attributes $\{S_1, \cdots, S_n\}$. As in the CP-ABE of Bethencourt et al., we consider only monotonic access structures. In the rest of the paper, by an access structure we mean a monotonic one.

An EP-AB-KEM consists of five polynomial-time algorithms:

Setup: takes the security parameter $k$ and the attribute universe description $U$ as inputs. The public parameters $PK$ and the master key $MK$ are the outputs.

Encapsulation: takes as input the public parameters $PK$ and an access structure $\mathbb{A}$ over the attribute universe $U$. It outputs an encapsulation $C$ and a symmetric key $K$ such that only a user with attributes satisfying $\mathbb{A}$ can recover $K$ from $C$. Similar to the CP-ABE schemes, we assume that the encapsulation implicitly contains $\mathbb{A}$.

KeyGen: takes as input the master key $MK$, the public parameters $PK$ and a set of attributes $S$ of a user that give a description of the user's private key. The output is the user's private key $SK$.

Decapsulation: takes as input the public parameters $PK$, an encapsulation $C$ which contains an access structure $\mathbb{A}$ and a private key $SK$ corresponding to a set of attributes $S$. The algorithm outputs either a symmetric key $K$ or $\perp$.

We also define an optional delegation algorithm, which allows a user with attribute set $S$ and a corresponding secret key $SK$ to derive a secret key for another set of attributes $\tilde{S}$ such that $\tilde{S} \subseteq S$.

Delegate: takes as input the public parameters $PK$, a secret key $SK$ corresponding to a set of attributes $S$ and a set $\tilde{S} \subseteq S$. It outputs a secret key $\tilde{SK}$ for the attribute set $\tilde{S}$.

For an EP-AB-KEM to be considered valid, it is required that for any key $SK$ corresponding to an attribute set $S$, if $S$ satisfies $\mathbb{A}$ and if $(K, C) \leftarrow$ Encapsulation($PK, \mathbb{A}$), then Decapsulation($PK, C, SK$) $= K$.

2.1 Security Model

Bethencourt et al. [4] defined a notion of indistinguishability under chosen plaintext attack (IND-CPA) for CP-ABE schemes. In this section, we adapt their notion and extend it to define a notion of indistinguishability under chosen ciphertext attacks (IND-CCA) for EP-AB-KEM. The security notion is formally defined as follows.

Definition 2. An EP-AB-KEM is IND-CCA secure if the advantage of any probabilistic polynomial time adversary $\mathcal{A}_{cca}$ in the following game is negligible in the security parameter $k$.

Setup: The challenger runs the Setup algorithm and returns $PK$ to $\mathcal{A}_{cca}$.

Phase 1: $\mathcal{A}_{cca}$ issues Extract and Decap queries as follows:

Extract: This query can be issued multiple times with sets of attributes $S_1, \cdots, S_{q_1}$ as input. The challenger returns a private key corresponding to each input attribute set. We do not require the input attribute sets to be distinct.

Decap: This query is issued with an encapsulation $C$ and an attribute set $S$ as inputs. Note that $C$ implicitly contains an access structure $\mathbb{A}$ defined over the attribute universe $U$. The challenger executes the Decapsulation algorithm on $C$ using a private key corresponding to $S$ and returns the output of Decapsulation to $\mathcal{A}_{cca}$.

Challenge: At the end of Phase 1, $\mathcal{A}_{cca}$ gives an access structure $\mathbb{A}^*$ defined over $U$ to the challenger. The challenger first chooses a bit $b$. It then runs the Encapsulation algorithm with $\mathbb{A}^*$ as input and generates a symmetric key–encapsulation pair $(K_1, C^*)$. It then sets $K_0$ to be a random key drawn from the probability distribution of the symmetric key. The tuple $(K_b, C^*)$ is returned to $\mathcal{A}_{cca}$ as the challenge. A trivial restriction on the adversary's choice of $\mathbb{A}^*$ is that none of the attribute sets $S_1, \cdots, S_{q_1}$ passed as input to Extract queries in Phase 1 should satisfy $\mathbb{A}^*$.

Phase 2: $\mathcal{A}_{cca}$ is allowed to execute in the same way as in Phase 1 with the following restrictions: (1) none of the attribute sets $S_{q_1+1}, \cdots, S_q$ passed as input to Extract queries in Phase 2 satisfy $\mathbb{A}^*$ and (2) a Decap query with $C^*$ as input in combination with an attribute set $S^*$ that satisfies $\mathbb{A}^*$ is not allowed.

Guess: The goal of $\mathcal{A}_{cca}$ is to guess whether the key $K_b$ is encapsulated within $C^*$ or not. $\mathcal{A}_{cca}$ finally outputs a guess bit $b'$. It wins the game if $b' = b$. The advantage of $\mathcal{A}_{cca}$ is given as


Existing security notions for CP-ABE schemes also consider the weaker selective model where $\mathcal{A}_{cca}$ declares the challenge access structure $\mathbb{A}^*$ before the Setup phase. Similarly, a corresponding model for EP-AB-KEMs can be defined.

Similar to earlier CP-ABE schemes [4, 13, 32], we have not explicitly modelled the delegation mechanism in the security model for EP-AB-KEMs. However, we require that for a given set of attributes, a secret key output by the Delegate algorithm will have identical distribution to the one output by the KeyGen algorithm. In particular, the Decapsulation algorithm using a private key $SK$ should work in the same way irrespective of $SK$ being an output of KeyGen or Delegate. Our security model for EP-AB-KEMs suffices in the presence of an adversary who may obtain delegated private keys since such queries can be simulated using Extract queries.

Remark 1. In Definition 2, $\mathcal{A}_{cca}$ is allowed to issue multiple Extract queries with attribute sets as input such that none of the individual sets $S_i$ satisfy the challenge access structure $\mathbb{A}^*$. Hence, similar to earlier definitions of attribute-based encryption schemes, our definition also takes care of collusion resistance. An EP-AB-KEM satisfying the above definition ensures that from the private keys of the $S_i$'s, $\mathcal{A}_{cca}$ cannot construct a private key corresponding to another attribute set $S^*$ such that $S^*$ satisfies $\mathbb{A}^*$.

Hybrid CP-ABE. An EP-AB-KEM satisfying the above IND-CCA security notion can be combined with any IND-CCA secure data encapsulation mechanism to construct an IND-CCA secure CP-ABE scheme [14, 15]. We describe the hybrid construction and prove its security in Appendix D.

2.2 A Chosen Ciphertext Secure EP-AB-KEM

Bethencourt et al. [4] first proposed a construction of a CP-ABE scheme. Their scheme was shown IND-CPA secure assuming generic group and random oracle models. Later, many CP-ABE schemes [21, 13, 32] have been proposed and shown IND-CPA secure without assuming generic group or random oracle models, but analyzed only in the selective model of security. Recently, Lewko et al. [27] proposed a fully secure CP-ABE scheme in the standard model using composite order bilinear groups.

We now construct an IND-CCA secure EP-AB-KEM based on the CP-ABE scheme of Bethencourt et al. The idea is to enhance the security of the IND-CPA secure EP-AB-KEM that is implicit in Bethencourt et al.'s CP-ABE scheme. For this purpose, the techniques of Fujisaki and Okamoto [18, 17] and Canetti et al. (CHK) [12] can be applied in the random oracle and standard models respectively. As remarked by Bethencourt et al., IND-CCA security for CP-ABE (and correspondingly for EP-AB-KEM) schemes can be achieved by a straightforward application of the Fujisaki-Okamoto technique.


model, our EP-AB-KEM will only be secure assuming generic groups and random oracles since the base CP-ABE scheme also assumes the same. Finally, we choose the scheme of Bethencourt et al. because it is secure in the fully adaptive model (i.e., non-selective model). In Remark 3, we discuss the necessity of an EP-AB-KEM to be secure in the adaptive model for constructing AB-AKE protocols.

The IND-CCA secure scheme first generates a one-time key pair $(sk, vk)$ for a signature scheme with the condition that the verification key is of the same length as the length of an attribute in the attribute universe $U$. Let $\mathbb{A}$ be the access structure given as input to the EP-AB-KEM. We now construct a more restrictive access structure $\mathbb{A}' = \mathbb{A}$ AND $vk$ and execute the CPA-secure EP-AB-KEM under $\mathbb{A}'$. The resulting encapsulation is then signed using the one-time signing key $sk$. The encapsulation of the CCA-secure EP-AB-KEM contains the encapsulation generated by the underlying CPA-secure EP-AB-KEM, the signature generated on it and the verification key $vk$. The recipient first checks the signature using $vk$ and then executes the CPA-secure KEM's decapsulation algorithm under $\mathbb{A}'$ to extract the symmetric key.

While the above informal description of our construction directly follows the CHK technique, the tricky part in the context of EP-AB-KEM (or CP-ABE) is to empower the recipient with a private key corresponding to the attributes that satisfy the modified access structure $\mathbb{A}'$. The recipient may already possess attributes that satisfy $\mathbb{A}$. However, since the verification key $vk$ is one-time and chosen randomly for each execution of EP-AB-KEM, the recipient cannot be issued with a private key that can decrypt messages encrypted under $\mathbb{A}' = \mathbb{A}$ AND $vk$. This problem cannot be addressed by the delegation mechanism in an EP-AB-KEM (or CP-ABE) scheme since it can be used to derive a private key corresponding to an attribute set $S'$ from the one corresponding to $S$ only if $S' \subseteq S$. But, we have an additional attribute in the form of $vk$. Note that this is not a problem in the KP-ABE system since it naturally allows a party with a private key corresponding to an access structure $\mathbb{A}$ to derive private keys corresponding to access structures that are more restrictive than $\mathbb{A}$.

To address the above problem, we make modifications to the Setup and Encapsulation algorithms derived from the CP-ABE scheme of Bethencourt et al. [4]. Our EP-AB-KEM now enables a recipient with a private key for attributes that satisfy $\mathbb{A}$ to decapsulate an encapsulation created under $\mathbb{A}'$, irrespective of the choice of $vk$ by the sender. As in the CP-ABE scheme of Bethencourt et al., an access structure $\mathbb{A}$ is represented in the form of an access tree $\mathcal{T}$.

Access Tree. Let $\mathcal{T}$ be a tree representing an access structure. Each interior node of $\mathcal{T}$ represents a threshold gate, while each leaf node is described by an attribute. Let $num_x$ be the number of children of a node $x$ and let $k_x$ be its threshold value. We have $0 \leq k_x \leq num_x$. A threshold gate associated to an internal node with threshold value $k_x$ outputs true if at least $k_x$ of its children output true. If the threshold gate represented by an interior node is an AND gate then $k_x = num_x$, and if the gate is OR, $k_x = 1$. The threshold value for each leaf node $x$ is defined to be $k_x = 1$. The parent of a node $x$ in the tree $\mathcal{T}$ is denoted by the function $parent(x)$, while the attribute of a leaf node $x$ is denoted by $att(x)$. The children of each interior node are numbered from 1 to $num_x$. The function $index(x)$ returns such a number associated with a node $x$. We assume that the index values are uniquely assigned in an arbitrary manner for a given access structure.


children $x'$ of $x$, $\mathcal{T}_{x'}(\gamma)$ is evaluated. $\mathcal{T}_x(\gamma)$ returns 1 if and only if at least $k_x$ children of $x$ return 1. If $x$ is a leaf node, $\mathcal{T}_x(\gamma)$ returns 1 if and only if $att(x) \in \gamma$.

Let $\mathbb{G}_0$ and $\mathbb{G}_1$ be two multiplicative groups of prime order $p$ and $g$ be an arbitrary generator of $\mathbb{G}_0$. Let $e: \mathbb{G}_0 \times \mathbb{G}_0 \to \mathbb{G}_1$ be an admissible bilinear map as defined in Section A.1. The Lagrange coefficient $\Delta_{i,S}$ for $i \in \mathbb{Z}_p$ and a set $S$ of elements in $\mathbb{Z}_p$ is defined as:

$$\Delta_{i,S}(x) = \prod_{j \in S,\, j \neq i} \frac{x - j}{i - j}.$$

Setup($k$). It chooses the groups $\mathbb{G}_0, \mathbb{G}_1$ and defines a bilinear map $e: \mathbb{G}_0 \times \mathbb{G}_0 \to \mathbb{G}_1$. It also selects $\alpha, \beta_1, \beta_2 \in \mathbb{Z}_p$ such that $\beta_1 \neq \beta_2$, $\beta_1 \neq 0$ and $\beta_2 \neq 0$. The public key is

$$PK = \left(\mathbb{G}_0, \mathbb{G}_1, e, g, h_1 = g^{\beta_1}, f_1 = g^{1/\beta_1}, h_2 = g^{\beta_2}, f_2 = g^{1/\beta_2}, e(g,g)^{\alpha}\right).$$

The master key $MK$ is $(\beta_1, \beta_2, g^{\alpha})$.

Encapsulation($PK, \mathcal{T}$). This algorithm generates an encapsulation and a symmetric key under the access tree $\mathcal{T}$ using the public key $PK$. It first executes the KeyGen algorithm of the signature scheme (ref. Section A.2) and obtains a one-time key pair $(sk, vk)$. Let $\mathbb{A}$ be the access structure represented by $\mathcal{T}$. The algorithm now constructs a new access tree $\mathcal{T}'$ for the access structure ($\mathbb{A}$ AND $vk$) as follows: Let $R$ be the root node of $\mathcal{T}$. The root node $R'$ of the new tree $\mathcal{T}'$ is set as the AND gate with $\mathcal{T}$ as its subtree and the verification key $vk$ as a leaf node attached to $R'$.

The algorithm now generates a polynomial $q_x$ for each node $x$ in the tree $\mathcal{T}'$ in a top-down approach as follows: Starting from the root node $R'$, for each node $x$ in the tree set the degree $d_x$ of the polynomial associated with $x$ to be $k_x - 1$, i.e., the degree of the polynomial is one less than the threshold value associated with the node $x$. The algorithm starts from the root node and first chooses a random $s \in \mathbb{Z}_p$. Then it chooses $d_{R'}$ other points randomly to define the polynomial $q_{R'}$. For any node $x$ other than the root, it sets $q_x(0) = q_{parent(x)}(index(x))$ and chooses $d_x$ other points randomly to define the polynomial $q_x$.

Let $Y$ be the set of leaf nodes in the subtree $\mathcal{T}$ rooted at $R$. The only other leaf node in the tree $\mathcal{T}'$ is the one that describes the verification key $vk$. The algorithm proceeds as follows:

1. $K = e(g,g)^{\alpha s}$.
2. $C_1 = h_1^{s}$.
3. $\forall y \in Y$: $C_y = g^{q_y(0)}$, $C'_y = H(att(y))^{q_y(0)}$.
4. $C_{vk} = h_2^{q_{vk}(0)}$, $C'_{vk} = H(vk)^{q_{vk}(0)}$.
5. Let $\tilde{C} = (\mathcal{T}', C_1, C_y, C'_y, C_{vk}, C'_{vk}),\ \forall y \in Y$. Compute a signature $\sigma = Sig_{sk}(\tilde{C})$. The final encapsulation is $C = (\tilde{C}, vk, \sigma)$.

KeyGen($MK, PK, S$). It chooses $r, r_{vk} \in \mathbb{Z}_p$ and $r_j \in \mathbb{Z}_p$ for each $j \in S$. The private key is computed as:

$$SK = \left(D = g^{(\alpha + r)/\beta_1},\ E = g^{r/\beta_2},\ \forall j \in S: D_j = g^{r} \cdot H(j)^{r_j},\ D'_j = g^{r_j}\right).$$

Delegate($SK, PK, \tilde{S}$). It takes as input a secret key $SK$ corresponding to a set of attributes $S$ and another set $\tilde{S} \subseteq S$. The key $SK$ is of the form $SK = (D, E, \forall j \in S: D_j, D'_j)$. The algorithm chooses $\tilde{r}$ and $\tilde{r}_k\ \forall k \in \tilde{S}$. The new key for $\tilde{S}$ is generated as:

$$\tilde{SK} = \left(\tilde{D} = D f_1^{\tilde{r}},\ \tilde{E} = E f_2^{\tilde{r}},\ \forall k \in \tilde{S}: \tilde{D}_k = D_k\, g^{\tilde{r}} H(k)^{\tilde{r}_k},\ \tilde{D}'_k = D' \ldots \right)$$

Decapsulation($SK, PK, C$). Upon receiving an encapsulation $C$, the decryptor first parses the access tree $\mathcal{T}'$. It then extracts the subtree $\mathcal{T}$ rooted at $R$ from $\mathcal{T}'$. Note that this can be easily done since the node that describes the verification key as an attribute can be identified with the help of the verification key $vk$ sent in the encapsulation. The algorithm first verifies the signature $\sigma$ on $\tilde{C}$ using the verification key $vk$. If the verification succeeds, it proceeds as follows:

$$F_{vk} = \frac{e(C_{vk}, H(vk) \cdot g^{r/\beta_2})}{e(C'_{vk}, h_2)} = \frac{e(C_{vk}, g^{r/\beta_2}) \cdot e(C_{vk}, H(vk))}{e(C'_{vk}, h_2)} \qquad (1)$$

$$= \frac{e(h_2^{q_{vk}(0)}, g^{r/\beta_2}) \cdot e(h_2^{q_{vk}(0)}, H(vk))}{e(H(vk)^{q_{vk}(0)}, h_2)} = e(g^{\beta_2 \cdot q_{vk}(0)}, g^{r/\beta_2}) = e(g,g)^{r\, q_{vk}(0)}.$$

A recursive algorithm DecryptNode($C, SK, x$) that takes as input $C$, a private key $SK$ associated with a set of attributes $S$ and a node $x$ from the subtree $\mathcal{T}$ is then executed as below:

If $x$ is a leaf node, then let $i = att(x)$. If $i \notin S$, then DecryptNode($C, SK, x$) $= \perp$. Otherwise it is defined as follows:

$$\mathrm{DecryptNode}(C, SK, x) = \frac{e(D_i, C_x)}{e(D'_i, C'_x)} = \frac{e(g^{r} \cdot H(i)^{r_i}, g^{q_x(0)})}{e(g^{r_i}, H(i)^{q_x(0)})} = e(g,g)^{r\, q_x(0)}.$$

If $x$ is an interior node then DecryptNode($C, SK, x$) proceeds as follows: For all nodes $z$ that are children of $x$, the algorithm DecryptNode($C, SK, z$) is called. The output is stored as $F_z$. Let $S_x$ be an arbitrary $k_x$-sized set of child nodes $z$ such that $F_z \neq \perp$. If no such set exists, the function returns $\perp$. Otherwise, the decapsulation algorithm proceeds as follows:

$$F_x = \prod_{z \in S_x} F_z^{\Delta_{i, S'_x}(0)}, \quad \text{where } i = index(z),\ S'_x = \{index(z) : z \in S_x\}$$

$$= \prod_{z \in S_x} \left(e(g,g)^{r \cdot q_z(0)}\right)^{\Delta_{i, S'_x}(0)} = \prod_{z \in S_x} \left(e(g,g)^{r \cdot q_{parent(z)}(index(z))}\right)^{\Delta_{i, S'_x}(0)} = \prod_{z \in S_x} e(g,g)^{r \cdot q_x(i) \cdot \Delta_{i, S'_x}(0)} = e(g,g)^{r \cdot q_x(0)}.$$

Finally, the decapsulation algorithm calls the DecryptNode algorithm on the node $R$, which is the root of the subtree $\mathcal{T}$. If $\mathcal{T}$ is satisfied by the attribute set $S$, then we have $F_R = \mathrm{DecryptNode}(C, SK, R) = e(g,g)^{r \cdot q_R(0)}$. We now compute $F_{R'}$ from $F_{vk}$ and $F_R$ using polynomial interpolation as follows:

$$F_{R'} = \prod_{x \in \{R, vk\}} F_x^{\Delta_{index(x), \{R, vk\}}}$$


Let $A = e(g,g)^{rs}$. The symmetric key is recovered as

$$\frac{e(C_1, D)}{A} = \frac{e(h_1^{s}, g^{(\alpha + r)/\beta_1})}{e(g,g)^{rs}} = \frac{e(g,g)^{s(\alpha + r)}}{e(g,g)^{rs}} = e(g,g)^{\alpha s} = K. \qquad (2)$$

Note that in Equation 1, we implicitly verify that the one-time verification key has not been replaced. If $vk$ was replaced, the symmetric key computed in Equation 2 would be $\perp$. Alternatively, the verification check can be done explicitly at the cost of an additional pairing operation. In Appendix B, we show that the proposed EP-AB-KEM is IND-CCA secure in the generic group and random oracle models.
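The access-tree secret sharing that Encapsulation and DecryptNode implement above, as an added example that is not part of the paper: it carries the top-down polynomial assignment and the Lagrange reconstruction out directly in $\mathbb{Z}_p$ rather than in the exponent of the pairing group, so recovering $q_{R'}(0) = s$ here plays the role of recovering $e(g,g)^{rs}$ in the scheme. The modulus, the node helpers and the ("vk", vk) leaf label are constructed for this example; granting every recipient that leaf stands in for the fact that $F_{vk}$ in Equation 1 needs only $E = g^{r/\beta_2}$, not $vk$ in the attribute set.

```python
"""Added example (not the paper's code): the access-tree secret sharing behind
Encapsulation and DecryptNode, computed directly in Z_p instead of in the
exponent of e(g, g)."""
import secrets

P = 2**127 - 1  # constructed: a Mersenne prime standing in for the group order p


class Node:
    """Interior node: threshold gate (k_x of num_x children). Leaf: one attribute."""

    def __init__(self, k=None, children=(), att=None):
        self.k = k
        self.children = list(children)
        self.att = att
        self.index = None  # index(x), assigned by number_children()


def AND(*children):
    return Node(k=len(children), children=children)


def OR(*children):
    return Node(k=1, children=children)


def THRESHOLD(k, *children):
    return Node(k=k, children=children)


def LEAF(att):
    return Node(k=1, att=att)


def number_children(node):
    """Number the children of every interior node 1..num_x (the index() function)."""
    for i, child in enumerate(node.children, start=1):
        child.index = i
        number_children(child)


def satisfied(node, gamma):
    """T_x(gamma): leaf -> att(x) in gamma; gate -> at least k_x children satisfied."""
    if node.att is not None:
        return node.att in gamma
    return sum(satisfied(c, gamma) for c in node.children) >= node.k


def lagrange_at_zero(i, S):
    """Delta_{i,S}(0) = prod_{j in S, j != i} (0 - j) / (i - j) mod p."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * (-j) % P
            den = den * (i - j) % P
    return num * pow(den, P - 2, P) % P


def share(node, value, shares):
    """Top-down polynomial assignment: q_x(0) = value, degree k_x - 1, and every
    child z receives q_z(0) = q_x(index(z)).  Leaves store their q_y(0)."""
    if node.att is not None:
        shares[id(node)] = value
        return shares
    coeffs = [value] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    for child in node.children:
        q_at_index = sum(c * pow(child.index, e, P) for e, c in enumerate(coeffs)) % P
        share(child, q_at_index, shares)
    return shares


def decrypt_node(node, shares, gamma):
    """DecryptNode: q_x(0) if the subtree at x is satisfied by gamma, else None (bottom)."""
    if node.att is not None:
        return shares[id(node)] if node.att in gamma else None
    have = [(c.index, decrypt_node(c, shares, gamma)) for c in node.children]
    have = [(i, v) for i, v in have if v is not None]
    if len(have) < node.k:
        return None
    chosen = have[: node.k]  # any k_x satisfied children suffice (the set S_x)
    S_x = [i for i, _ in chosen]
    return sum(v * lagrange_at_zero(i, S_x) for i, v in chosen) % P


def encapsulate(tree, vk, s=None):
    """Build T' = (T AND vk-leaf), pick s, and share it over T'.  Returns (T', shares, s)."""
    root = AND(tree, LEAF(("vk", vk)))
    number_children(root)
    s = secrets.randbelow(P) if s is None else s
    return root, share(root, s, {}), s


def decapsulate(root, shares, attributes, vk):
    """A holder of `attributes` recovers s iff they satisfy T.  The vk leaf is granted to
    every recipient, modelling that F_vk (Eq. 1) needs only E = g^{r/beta_2}."""
    return decrypt_node(root, shares, set(attributes) | {("vk", vk)})
```

The example also generalises to arbitrary k-of-n threshold gates (THRESHOLD), which the paper's AND/OR trees are special cases of.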

3 Attribute-based Authenticated Key Exchange

An AB-AKE protocol consists of three polynomial-time algorithms: Setup, KeyGen and KeyExchange. The Setup and KeyGen algorithms are identical to those defined for EP-AB-KEM in Section 2. Each party in the AB-AKE protocol executes the KeyExchange algorithm which initially takes as input the master public key $PK$, an access structure $\mathbb{A}$ and a private key for a set of attributes $S$. If $S$ satisfies $\mathbb{A}$, KeyExchange proceeds as per specification and may generate outgoing messages and also accept incoming messages from other parties as inputs. The output of KeyExchange is either a session key $\kappa$ or $\perp$.

Communication Model. Let $\mathcal{U} = \{U_1, \cdots, U_n\}$ be a set of $n$ users. The protocol may be executed among any subset $\tilde{\mathcal{U}} \subseteq \mathcal{U}$ of size $\tilde{n} \geq 2$. We assume that each user has a set of descriptive attributes. Let $SK_i$ be the private key corresponding to an attribute set $S_i$ of user $U_i$. We assume that an access structure $\mathbb{A}$ is given as input to all the users. Note that this $\mathbb{A}$ may be specified by a higher level protocol. Alternatively, the users can run an interactive protocol to negotiate a common access structure $\mathbb{A}$. We also assume that all the users execute the protocol honestly. If a user $U_i$ wants to establish a session key with respect to an access structure $\mathbb{A}$, it first checks whether its attribute set $S_i$ satisfies $\mathbb{A}$ or not, i.e., checks if $S_i \in \mathbb{A}$. $U_i$ proceeds with the protocol execution only if $S_i$ satisfies $\mathbb{A}$. Thus, any user $U_j$ with attribute set $S_j$ that satisfies $\mathbb{A}$ is a potential participant in the key exchange protocol. The set of parties whose individual attributes satisfy $\mathbb{A}$ can compute a common session key.

An AB-AKE protocol $\pi$ executed among $\tilde{n} \leq n$ users is modelled as a collection of $\tilde{n}$ programs running at the $\tilde{n}$ parties. Each instance of $\pi$ within a party is defined as a session and each party may have multiple such sessions running concurrently. Let $\pi_i^j$ be the $j$-th run of the protocol $\pi$ at party $U_i \in \tilde{\mathcal{U}}$. Each protocol instance at a party is identified by a unique session ID. We assume that the session ID is derived during the run of the protocol. The session ID of an instance $\pi_i^j$ is denoted by $sid_i^j$. An instance $\pi_i^j$ enters an accepted state when it computes a session key $sk_i^j$. Note that an instance may terminate without ever entering into an accepted state. The information of whether an instance has terminated with acceptance or without acceptance is assumed to be public. Note that there may be more than one party whose attributes satisfy $\mathbb{A}$, hence we consider a group setting for AB-AKE. We define partnership in an AB-AKE protocol as follows: A set of $\tilde{n}$ instances at $\tilde{n}$ different parties $\tilde{\mathcal{U}} \subseteq \mathcal{U}$ are called partners if

2. the attributes of each $U_i \in \tilde{\mathcal{U}}$ satisfy $\mathbb{A}$.

An AB-AKE protocol is called correct if the instances at the parties in ˜U are partnered and output identical session keys in the presence of a passive adversary.

Adversarial Model. The communication network is assumed to be fully controlled by the adversary, which schedules and mediates the sessions among all the parties. The adversary is allowed to insert, delete or modify the protocol messages. We also assume that it is the adversary that may select the protocol participants from the set $\mathcal{U}$. While the adversary may not know the attribute set that a user possesses, it can initiate an instance of the AB-AKE protocol with an access structure of its choice. In addition to controlling the message transmission, the adversary is allowed to ask the following queries.

– Send($\pi_i^j, m$) sends a message $m$ to the instance $\pi_i^j$. If the message is $\mathbb{A}$, the instance $\pi_i^j$ is initiated with the access structure $\mathbb{A}$. Otherwise, the message is processed as per the protocol specification. The response of $\pi_i^j$ to any Send query is returned to the adversary.

– RevealKey($\pi_i^j$) If $\pi_i^j$ has accepted, the adversary is given the session key $sk_i^j$ established at $\pi_i^j$.

– Corrupt($S_i$) This query returns a private key $SK_i$ corresponding to the attribute set $S_i$.

– Test($\pi_i^j$) A random bit $b$ is secretly chosen. If $b = 1$, the adversary is given $sk_i^j$ established at $\pi_i^j$. Otherwise, a random value chosen from the session key probability distribution is given. Note that a Test query is allowed only on an accepted instance.

Definition 3 (Freshness). Let A be the access structure for an instance π_i^j. π_i^j is called fresh if the following conditions hold: (1) the instance π_i^j or any of its partners has not been asked a RevealKey query and (2) there has not been a Corrupt query on an input S_i such that S_i satisfies A.

Definition 4 (AKE-security). An adversary A_ake against the AKE-security notion is allowed to make Send, RevealKey and Corrupt queries in Stage 1. A_ake makes a Test query to an instance π_i^j at the end of Stage 1 and is given a challenge key K_b as described above. It can continue asking queries in Stage 2. Finally, A_ake outputs a bit b' and wins the AKE-security game if (1) b' = b and (2) the Test instance π_i^j remains fresh till the end of A_ake's execution. Let Succ_{A_ake} be the event that A_ake wins the AKE-security game. The advantage of A_ake in winning this game is

\[ \mathrm{Adv}_{\mathcal{A}_{ake}} = \left| 2 \cdot \Pr[\mathsf{Succ}_{\mathcal{A}_{ake}}] - 1 \right|. \]

A protocol is called AKE-secure if Adv_{A_ake} is negligible in the security parameter k for any polynomial time A_ake.

Remark 2. By allowing the adversary to reveal the private keys corresponding to attribute sets which individually do not satisfy the given access structure A* in the test session, our definition naturally considers collusion resistance. In other words, any number of parties whose individual attribute sets do not satisfy A* may collude among themselves and try to violate the AKE-security of the protocol. An AB-AKE protocol satisfying our AKE-security notion will still remain secure against such collusion attacks.

4 A Generic One-round AB-AKE Protocol

Computation

Each U_i executes an EP-AB-KEM on the input (PK, T) where PK is the master public key and T is the access tree that represents an access structure A. As a result, a symmetric key and encapsulation pair (K_i, C_i) is obtained.

    (K_i, C_i) ← Encapsulation(PK, T).

Broadcast

Each U_i broadcasts the generated encapsulation C_i.

    U_i → ∗ : C_i.

Key Computation

1. Each U_i executes the decapsulation algorithm using its private key SK_i on each of the incoming encapsulations C_j and obtains the symmetric keys K_j, for j ≠ i.

    K_j ← Decapsulation(SK_i, C_j) for each j ≠ i.

2. Each U_i then computes the session ID as the concatenation of all the outgoing and incoming messages exchanged, i.e. sid = (C_1 ‖ · · · ‖ C_ñ), where ñ is the number of protocol participants.

3. The session key κ is then computed as

\[ \kappa = f_{K_1}(\mathrm{sid}) \oplus f_{K_2}(\mathrm{sid}) \oplus \cdots \oplus f_{K_{\tilde n}}(\mathrm{sid}) \]

where f is a pseudorandom function.

Fig. 1. A Generic One-round AB-AKE Protocol

generated with the symmetric keys extracted from the incoming messages to establish a common session key. Our construction is an extension of the one-round protocols of Boyd et al. [10] and Gorantla et al. [19] to the attribute-based setting. Figure 1 presents our generic one-round AB-AKE protocol.

At the beginning of the protocol each party is given an access structure A represented via an access tree T. The protocol uses an EP-AB-KEM scheme (Setup, Encapsulation, KeyGen, Decapsulation). Each U_i is issued a private key SK_i corresponding to the attribute set S_i that it possesses. Each party U_i whose attribute set S_i satisfies the access structure A runs the Encapsulation algorithm and obtains a symmetric key-encapsulation pair (K_i, C_i). The parties broadcast the encapsulations to the other parties. Upon receiving the encapsulations, each party runs the Decapsulation algorithm using its private key on each of the incoming encapsulations and extracts the symmetric keys. The number of protocol participants ñ can be derived based on the number of input messages received within a prescribed time period. The session key is finally computed by each party from the symmetric key that it has generated and all the symmetric keys decapsulated from the incoming encapsulations.

A pseudo-random function f is applied to derive the session key. We assume that the symmetric key output by the Decapsulation algorithm can be directly used as a seed for f. Otherwise, we will have to extract and then expand the randomness from the output of the Decapsulation algorithm as done by Boyd et al. [10].
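The message flow of Fig. 1, as an added example in Python that is not part of the paper: the EP-AB-KEM is replaced by an idealised stand-in in which a trusted authority records every encapsulated key and releases it only to a private key whose attribute set satisfies the access tree, so the example exercises the session-ID construction, the PRF/XOR key derivation and the ⊥ handling of Fig. 1 rather than any pairing arithmetic. The access-tree encoding (threshold gates over attribute strings), the use of HMAC-SHA256 as the PRF f, the party names and the forum policy are all constructed assumptions.

```python
"""Generic one-round AB-AKE of Fig. 1 over an idealised EP-AB-KEM stand-in.

CONSTRUCTED example: the KEM below is an idealised oracle, not the paper's
pairing-based EP-AB-KEM; it only reproduces the interface the protocol needs.
"""
import hashlib
import hmac
import secrets
from typing import Dict, FrozenSet, List, Optional, Tuple

# Access tree T: a leaf is an attribute string, an interior node is a
# threshold gate ("THRESHOLD", k, children); AND/OR are the k = n / k = 1 cases.
def AND(*children):
    return ("THRESHOLD", len(children), list(children))

def OR(*children):
    return ("THRESHOLD", 1, list(children))

def satisfies(tree, attrs: FrozenSet[str]) -> bool:
    """Does the attribute set satisfy the access tree?"""
    if isinstance(tree, str):
        return tree in attrs
    _, k, children = tree
    return sum(satisfies(c, attrs) for c in children) >= k

class IdealABKEM:
    """Idealised EP-AB-KEM: the authority records (T, K) for every
    encapsulation and Decapsulation succeeds iff the caller's attribute
    set satisfies T.  SK_i is modelled as the attribute set itself."""
    def __init__(self):
        self._table: Dict[bytes, Tuple[object, bytes]] = {}

    def keygen(self, attrs) -> FrozenSet[str]:
        return frozenset(attrs)

    def encapsulation(self, tree) -> Tuple[bytes, bytes]:
        key = secrets.token_bytes(32)        # K_i
        encap = secrets.token_bytes(16)      # C_i: opaque handle bound to (T, K_i)
        self._table[encap] = (tree, key)
        return key, encap

    def decapsulation(self, sk: FrozenSet[str], encap: bytes) -> Optional[bytes]:
        entry = self._table.get(encap)
        if entry is None:
            return None                      # malformed encapsulation: ⊥
        tree, key = entry
        return key if satisfies(tree, sk) else None

def prf(key: bytes, sid: bytes) -> bytes:
    """f_K(sid); HMAC-SHA256 is an assumed PRF instantiation."""
    return hmac.new(key, sid, hashlib.sha256).digest()

class Party:
    def __init__(self, name: str, kem: IdealABKEM, sk: FrozenSet[str]):
        self.name, self.kem, self.sk = name, kem, sk
        self.K = self.C = None

    def computation(self, tree) -> bytes:
        """Computation + Broadcast steps: (K_i, C_i) <- Encapsulation(PK, T)."""
        self.K, self.C = self.kem.encapsulation(tree)
        return self.C

    def key_computation(self, broadcasts: List[Tuple[str, bytes]]) -> Optional[bytes]:
        """Key Computation step; returns None when the instance terminates
        without accepting (some incoming encapsulation decapsulates to ⊥)."""
        # sid = C_1 || ... || C_ñ in the (assumed) agreed broadcast order.
        sid = b"".join(encap for _, encap in broadcasts)
        kappa = bytes(32)
        for name, encap in broadcasts:
            key = self.K if name == self.name else self.kem.decapsulation(self.sk, encap)
            if key is None:
                return None
            kappa = bytes(a ^ b for a, b in zip(kappa, prf(key, sid)))
        return kappa

def run_session(kem: IdealABKEM, parties: List[Party], tree) -> Dict[str, Optional[bytes]]:
    """One round: every party broadcasts C_i, then derives the session key."""
    broadcasts = [(p.name, p.computation(tree)) for p in parties]
    return {p.name: p.key_computation(broadcasts) for p in parties}

def demo() -> Dict[str, Optional[bytes]]:
    """Forum policy (constructed): moderator AND (dev OR ops)."""
    kem = IdealABKEM()
    policy = AND("moderator", OR("dev", "ops"))
    alice = Party("alice", kem, kem.keygen({"moderator", "dev"}))
    bob = Party("bob", kem, kem.keygen({"moderator", "ops"}))
    eve = Party("eve", kem, kem.keygen({"dev"}))        # does not satisfy the policy
    return run_session(kem, [alice, bob, eve], policy)

if __name__ == "__main__":
    out = demo()
    print("alice == bob:", out["alice"] == out["bob"], " eve accepted:", out["eve"] is not None)
```

In the run, alice and bob accept with identical keys while eve terminates without accepting: eve's own encapsulation is a valid one under the policy, so the insiders decapsulate it and fold K_eve into κ, but eve cannot recover K_alice or K_bob and therefore cannot compute κ, which is the behaviour the correctness and AKE-security definitions above describe.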

\[ \mathrm{Adv}_{\mathcal{A}_{ake}} \le \tilde n \cdot \frac{q_s^2}{|C|} + q_s \cdot \left( \tilde n \cdot \mathrm{Adv}_{\mathcal{A}_{prf}} + \mathrm{Adv}_{\mathcal{A}_{cca}} \right) \]

where ñ is the number of parties in the protocol, q_s is the number of sessions A_ake is allowed to activate, |C| is the size of the ciphertext space, Adv_{A_cca} is the advantage of a polynomial adversary A_cca against the IND-CCA security of the underlying EP-AB-KEM and Adv_{A_prf} is the advantage of a polynomial adversary A_prf against the pseudorandomness of the pseudorandom function f.

The proof of the above theorem is given in Appendix C.

Concrete Instantiation. From the EP-AB-KEM proposed in Section 2.2, a concrete AB-AKE protocol can be directly realized. It follows from the security of the EP-AB-KEM and the generic AB-AKE protocol that the instantiated protocol is AKE-secure in the generic group and the random oracle models.

5 Extensions

The security model in Section 3 is concerned only about the basic notion of AKE-security without forward secrecy. Forward secrecy is one of the most important security properties for key exchange protocols since it limits the damage of long-term key exposure. A key exchange protocol with forward secrecy ensures that even if the long-term key of a party is exposed, all the past session keys established using that long-term key will remain uncompromised.

Forward secrecy seems to be more important in the case of AB-AKE protocols than in the case of normal public key based key exchange protocols. To see why, let us assume that the adversary obtains the private key of a user Ui who possesses a set of attributes Si. If an AB-AKE protocol does not achieve forward secrecy, then the adversary can compromise all the protocol sessions which have been established with access structures that can be satisfied by Si. Note that the party Ui does not even have to participate in any of these sessions. We now define a notion of freshness that takes forward secrecy into account.

5.1 AKE-security with Forward Secrecy

Definition 5 (FS-Freshness). Let A be the access structure for an instance π_i^j. π_i^j is called fs-fresh if the following conditions hold: (1) the instance π_i^j or any of its partners has not been asked a RevealKey query and (2) there has not been a Corrupt query on an input S_i before π_i^j or its partner instances have terminated, such that S_i satisfies A.

Definition 5 can be coupled with the security notion in Definition 4 to arrive at an AKE-security notion with forward secrecy for AB-AKE protocols.

5.2 Constructing AB-AKE Protocols with Forward Secrecy

with forward secrecy, the protocol of Joux [24] can be executed in the same round with our EP-AB-KEM based protocol. The session keys in both the protocols will include the ephemeral Diffie-Hellman key components which ensure forward secrecy. However, the protocols will achieve weak forward secrecy, wherein the adversary has to remain passive during protocol execution. The security of the resulting two-party and three-party AB-AKE protocols will depend on the hardness of the computational Diffie-Hellman and bilinear Diffie-Hellman problems respectively, along with the security of the underlying AB-AKE protocol (the security of the latter has been proven already).

Constructing AB-AKE protocols in the more general group setting needs more than one round. The compiler of Katz and Yung (KY) [26] turns an unauthenticated group key exchange protocol into an authenticated one. The compiler uses a public key based signature as an “authenticator” for this purpose. One may adapt the KY compiler to the attribute-based setting by replacing the normal public key based signature with an attribute-based signature [28]. The resulting compiler can then be applied to the two-round unauthenticated Burmester and Desmedt (BD) protocol [11] to achieve a three-round AB-AKE protocol with forward secrecy. Since the session key established by the BD protocol is ephemeral it achieves forward secrecy, whereas the attribute-based KY compiler provides authentication. Although the attribute-based version of the KY compiler can be constructed with necessary changes to the KY compiler, it may not be straightforward. We leave this construction for future work.

6 Conclusion

We have initiated the concept of AB-AKE in the ciphertext-policy attribute-based system. Our modelling of AB-AKE assumes that each party has a set of attributes and a corresponding private key. A policy is defined (or negotiated) for each execution of the protocol and the parties satisfying the policy can establish a common shared key by executing the protocol. In the security model for AB-AKE, we have considered only outsider adversaries. Our security model can be extended by considering insider attackers who try to impersonate other protocol participants [25].

We have also introduced the concept of EP-AB-KEM. We then proposed a one-round generic AB-AKE protocol based on IND-CCA secure EP-AB-KEMs. For concrete instantiation of this protocol, we have presented an EP-AB-KEM and shown it secure under the IND-CCA notion in the generic group and random oracle models. As a consequence, a concrete AB-AKE protocol based on this EP-AB-KEM would also be secure in the generic group and random oracle models.

References

1. Giuseppe Ateniese, Jonathan Kirsch, and Marina Blanton. Secret Handshakes with Dynamic and Fuzzy Matching. In Proceedings of the Network and Distributed System Security Symposium–NDSS'07. The Internet Society, 2007.

2. Amos Beimel. Secure Schemes for Secret Sharing and Key Distribution. PhD thesis, Israel Institute of Technology, Technion, Haifa, Israel, 1996.

3. Kamel Bentahar, Pooya Farshim, John Malone-Lee, and Nigel P. Smart. Generic Constructions of Identity-Based and Certificateless KEMs. J. Cryptology, 21(2):178–199, 2008.

4. John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-Policy Attribute-Based Encryption. In IEEE Symposium on Security and Privacy, pages 321–334. IEEE Computer Society, 2007.

5. James Birkett and Douglas Stebila. Predicate-Based Key Exchange. Cryptology ePrint Archive, Report 2010/082, 2010. To appear at ACISP 2010. Available at http://eprint.iacr.org/2010/082.

7. D. Boneh and M.K. Franklin. Identity-Based Encryption from the Weil Pairing. In Advances in Cryptology–CRYPTO'01, volume 2139 of LNCS, pages 213–229. Springer, 2001.

8. Dan Boneh, Xavier Boyen, and Eu-Jin Goh. Hierarchical Identity Based Encryption with Constant Size Ciphertext. In Advances in Cryptology–EUROCRYPT 2005, volume 3494 of LNCS, pages 440–456. Springer, 2005.

9. Dan Boneh, Ran Canetti, Shai Halevi, and Jonathan Katz. Chosen-Ciphertext Security from Identity-Based Encryption. SIAM J. Comput., 36(5):1301–1328, 2007.

10. Colin Boyd, Yvonne Cliff, Juan Manuel González Nieto, and Kenneth G. Paterson. One-Round Key Exchange in the Standard Model. International Journal of Applied Cryptography, 1(3):181–199, 2009.

11. Mike Burmester and Yvo Desmedt. A Secure and Efficient Conference Key Distribution System (Extended Abstract). In Advances in Cryptology–EUROCRYPT'94, pages 275–286, 1994.

12. Ran Canetti, Shai Halevi, and Jonathan Katz. Chosen-Ciphertext Security from Identity-Based Encryption. In Advances in Cryptology–EUROCRYPT 2004, volume 3027 of LNCS, pages 207–222. Springer, 2004.

13. Ling Cheung and Calvin Newport. Provably Secure Ciphertext Policy ABE. In CCS '07: Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 456–465, New York, NY, USA, 2007. ACM.

14. Ronald Cramer and Victor Shoup. Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack. SIAM J. Comput., 33(1):167–226, 2004.

15. Alexander W. Dent. A Designer's Guide to KEMs. In Cryptography and Coding, 9th IMA International Conference, Cirencester, volume 2898 of LNCS, pages 133–151. Springer, 2003.

16. Alexander W. Dent. Hybrid Cryptography. Cryptology ePrint Archive, Report 2004/210, 2004. http://eprint.iacr.org/2004/210.

17. Eiichiro Fujisaki and Tatsuaki Okamoto. How to Enhance the Security of Public-Key Encryption at Minimum Cost. In Public Key Cryptography–PKC '99, volume 1560 of LNCS, pages 53–68. Springer, 1999.

18. Eiichiro Fujisaki and Tatsuaki Okamoto. Secure Integration of Asymmetric and Symmetric Encryption Schemes. In Michael J. Wiener, editor, Advances in Cryptology–CRYPTO '99, volume 1666 of LNCS, pages 537–554. Springer, 1999.

19. M. Choudary Gorantla, Colin Boyd, Juan Manuel González Nieto, and Mark Manulis. Generic One Round Group Key Exchange in the Standard Model. In 12th International Conference on Information Security and Cryptology–ICISC 2009. Springer, 2009.

20. M. Choudary Gorantla, Colin Boyd, and Juan Manuel González Nieto. On the Connection between Signcryption and One-Pass Key Establishment. In Steven D. Galbraith, editor, IMA Int. Conf., volume 4887 of LNCS, pages 277–301. Springer, 2007.

21. Vipul Goyal, Abhishek Jain, Omkant Pandey, and Amit Sahai. Bounded Ciphertext Policy Attribute Based Encryption. In Automata, Languages and Programming, 35th International Colloquium–ICALP'08, volume 5126 of LNCS, pages 579–591. Springer, 2008.

22. Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data. In Proceedings of the 13th ACM Conference on Computer and Communications Security–CCS'06, pages 89–98. ACM, 2006.

23. Stanislaw Jarecki and Xiaomin Liu. Private Mutual Authentication and Conditional Oblivious Transfer. In Shai Halevi, editor, Advances in Cryptology–CRYPTO'09, volume 5677 of LNCS, pages 90–107. Springer, 2009.

24. Antoine Joux. A One Round Protocol for Tripartite Diffie-Hellman. In Algorithmic Number Theory, 4th International Symposium, volume 1838 of LNCS, pages 385–394. Springer, 2000.

25. Jonathan Katz and Ji Sun Shin. Modeling Insider Attacks on Group Key-Exchange Protocols. In Proceedings of the 12th ACM Conference on Computer and Communications Security–CCS'05, pages 180–189. ACM, 2005.

26. Jonathan Katz and Moti Yung. Scalable Protocols for Authenticated Group Key Exchange. In Advances in Cryptology–CRYPTO'03, volume 2729 of LNCS, pages 110–125. Springer, 2003.

27. Allison Lewko, Tatsuaki Okamoto, Amit Sahai, Katsuyuki Takashima, and Brent Waters. Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption. Cryptology ePrint Archive, Report 2010/100, 2010. To appear at EUROCRYPT 2010. Available at http://eprint.iacr.org/2010/110.

28. Hemanta Maji, Manoj Prabhakaran, and Mike Rosulek. Attribute-Based Signatures: Achieving Attribute-Privacy and Collusion-Resistance. Cryptology ePrint Archive, Report 2008/328, 2008. http://eprint.iacr.org/2008/328.

29. Amit Sahai and Brent Waters. Fuzzy Identity-Based Encryption. In Ronald Cramer, editor, Advances in Cryptology–EUROCRYPT'05, volume 3494 of LNCS, pages 457–473. Springer, 2005.

31. Rainer Steinwandt and Adriana Suárez Corona. Attribute-Based Group Key Establishment. Unpublished manuscript.

32. Brent Waters. Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization. Cryptology ePrint Archive, Report 2008/290, 2008. http://eprint.iacr.org/.

33. R. Zippel. Probabilistic Algorithms for Sparse Polynomials. In E.W. Ng, editor, EUROSAM, volume 72 of LNCS, pages 216–226. Springer, 1979.

A Preliminaries

A.1 Bilinear Pairing

Let G_0 and G_1 be two multiplicative groups of prime order p. Let g be an arbitrary generator of G_0. The pairing e : G_0 × G_0 → G_1 is called an admissible bilinear map if it has the following properties:

Bilinearity: ∀u, v ∈ G_0 and a, b ∈ Z_p, we have e(u^a, v^b) = e(u, v)^{ab}.

Non-degeneracy: e(g, g) ≠ 1.

Computable: There exists an efficient algorithm to compute e(g, g).

A.2 Strong Existential Unforgeability

A signature scheme Σ consists of three polynomial time algorithms: SigKeyGen, Sign and Verify. The probabilistic algorithm SigKeyGen generates a signing-verification key pair (sk, vk). Sign is also a probabilistic algorithm that produces a signature σ on an input message m using the signing key sk. Verify is a deterministic algorithm that takes a tuple (m, σ, vk) as input and outputs a boolean value. If σ is a valid signature on m under vk, Verify returns 1. Otherwise 0 is returned.

A signature is said to be strongly existentially unforgeable against chosen message attacks (sUF-CMA) if there exists no probabilistic polynomial time adversary A_cma that has non-negligible success probability in the security game below:

Setup: The challenger runs the SigKeyGen algorithm to generate a key pair (sk, vk) and passes the verification key vk on to A_cma.

Sign Queries: This query is asked by A_cma with a message m as input. The challenger runs the Sign algorithm with signing key sk and returns the signature σ to A_cma. A_cma is allowed to issue multiple Sign queries in an adaptive manner.

Forgery: The adversary outputs a tuple (m*, σ*). It wins the sUF-CMA security game if (1) σ* is a valid signature on the message m* under vk and (2) (m*, σ*) has not been an output of any of the Sign queries issued earlier.

B Security Proof of EP-AB-KEM

The Generic Group Model [8]. We consider two random encodings ψ_0, ψ_1 of the additive group F_p, i.e., injective maps ψ_0, ψ_1 : F_p → {0,1}^m, where m > 3 log(p). We write G_0 = {ψ_0(x) | x ∈ F_p} and G_1 = {ψ_1(x) | x ∈ F_p}. We are given oracles to compute the group operations in both the groups and also a non-degenerate bilinear map e : G_0 × G_0 → G_1. The identity elements in the groups can be accessed by the queries ψ_0(0) and ψ_1(0), while the generators by ψ_0(1) and ψ_1(1). We denote ψ_0(1), ψ_0(x) and ψ_1(y) by g, g^x and e(g, g)^y respectively.

We are also given access to a random oracle to represent the hash function H : {0,1}* → G_0.

Theorem 2. Let ψ_0, ψ_1, G_0 and G_1 be defined as above. For any A_cca, let q be the total number of group elements it receives from the oracles and during its interaction with the IND-CCA security game of the EP-AB-KEM. Let Adv_{A_cma} be the advantage of a polynomial time adversary A_cma against the sUF-CMA notion of the signature scheme Σ. We have the advantage of A_cca as max{Adv_{A_cma}, O(q^2/p)}.

Proof. Note that in the Challenge phase of the EP-AB-KEM security game, the adversary has to distinguish between the real symmetric key and a value randomly chosen from the symmetric key probability distribution, i.e., with respect to our scheme the adversary has to distinguish between e(g, g)^{αs} and e(g, g)^θ for a randomly chosen θ ∈ F_p.

At the setup time, the simulation chooses α, β_1, β_2 at random from F_p. If β_1 = β_2, β_1 = 0 or β_2 = 0 the setup is aborted just as it would be in the actual construction. The public parameters

\[ h_1 = g^{\beta_1},\quad h_2 = g^{\beta_2},\quad f_1 = g^{1/\beta_1},\quad f_2 = g^{1/\beta_2} \quad\text{and}\quad e(g,g)^{\alpha} \]

are sent to the adversary. The answers to the queries asked by A_cca as part of the EP-AB-KEM security game are simulated as below:

H-queries: The simulation maintains a list for the random oracle H with the input and response as entries. When a query is issued to the random oracle with input i, the simulation first checks if there is an entry for i in the list. If there exists an entry, it returns the previously returned response. Otherwise a new random value t_i is chosen from F_p and the value g^{t_i} is returned. The values (t_i, g^{t_i}) are stored along with the input i. The queries with input vk are answered in the same way.

Extract queries: When A_cca makes the j-th key generation query on a set of attributes S_j, a new random value r^{(j)} ∈ F_p and, for each i ∈ S_j, new random values r_i^{(j)} ∈ F_p are chosen. The simulator then generates a private key corresponding to S_j as in the scheme. It computes

\[ D = g^{(\alpha + r^{(j)})/\beta_1},\qquad E = g^{r^{(j)}/\beta_2} \]

and for each i ∈ S_j,

\[ D_i = g^{r^{(j)}} \cdot H(i)^{r_i^{(j)}},\qquad D'_i = g^{r_i^{(j)}}. \]

The private key is passed on to A_cca.

Decap queries: When A_cca asks for a decapsulation query on an input encapsulation C, the simulation first parses the access tree T' from C. It then extracts the verification key vk and the subtree T from T'. The simulation first verifies the signature on the encapsulation using vk and, if it is valid, proceeds with decapsulation as follows: It computes F_vk and F_x for each leaf node and interior node in T as specified in the decapsulation algorithm. Note that this can be performed using appropriate queries to ψ_0, ψ_1 and the random oracle H. Finally, F_{R'} is computed and the symmetric key K recovered. Note that, as in the decapsulation algorithm, if vk was replaced the simulation would set K to ⊥. Finally, K is returned.

In the Challenge phase, A_cca outputs a challenge access structure T. Let Y denote the set

shares λ_i = q_i(0) for all i ∈ Y* and λ_vk* = q_vk*(0) as described in the scheme. The choice of λ_i's can be perfectly simulated by choosing l random values µ_1, · · · , µ_l uniformly at random from F_p for some value l and then letting λ_i be fixed as a public linear combination of µ_1, · · · , µ_l and s. Later in the proof, we will think of λ_i as such a linear combination of these independent random variables.

Finally, the simulation chooses a random θ ∈ F_p and constructs the challenge symmetric key and encapsulation as follows: K* = e(g, g)^θ and C_1^* = h_1^s. For each relevant attribute i,

\[ C_i^* = g^{\lambda_i},\qquad C_i'^* = g^{t_i \lambda_i}. \]

For the verification key vk*,

\[ C_{\mathsf{vk}^*} = h_2^{\lambda_{\mathsf{vk}^*}},\qquad C'_{\mathsf{vk}^*} = g^{t_{\mathsf{vk}^*} \lambda_{\mathsf{vk}^*}}. \]

Let C = (T*', C*, C_i^*, C_i'^*, C_vk*, C'_vk*). It then computes a signature σ* on C using the one-time secret key sk*. The encapsulation values (C*, vk*, σ*) are sent to A_cca.

Following the generic proof of Boneh et al. [9], we divide the proof into the following two cases:

Case 1: Let Forge be the event that A_cca submits a decapsulation query with input (C, vk, σ) that is different from the challenge encapsulation given to it but with vk = vk*. We now show that Pr[Forge] is negligible.

With the simulation of A_cca's queries as described above we now construct a forger A_cma against the signature scheme. We assume that A_cma is given the challenge verification key vk* at the beginning of the experiment. As described above, the public parameters are generated and answers to A_cca's queries are simulated. If A_cca outputs a query (C, vk*, σ) even before the Challenge phase, then A_cma outputs (C, σ) as its forgery and stops. Let (C*, vk*, σ*) be the challenge encapsulation given to A_cca. If A_cca submits a valid encapsulation (C, vk*, σ) in a decapsulation query, as per the EP-AB-KEM security game we must have (C, σ) ≠ (C*, σ*). In this case A_cma submits (C, σ) as its forgery. Hence, the success probability of A_cma is at least Pr[Forge]. Since the one-time signature scheme is assumed to be strongly unforgeable, Pr[Forge] ≤ Adv_{A_cma} must be negligible. Note that in this case (i.e., when Forge occurs), A_cca's view would have been identical even if we had set θ = αs.

Case 2: In this case, we assume that the event Forge does not occur. We now show that decapsulation queries with an input verification key vk ≠ vk* do not give A_cca any advantage. Note that since we have assumed that Forge does not occur, a decapsulation query with input vk = vk* must contain an invalid signature. For such a query A_cca is returned ⊥. The rest of the proof below deals with Case 2.

When A_cca makes a query to the group oracles, we may condition on the event that (1) A_cca provides as input only the values it received from the simulation or intermediate values it obtained as responses from the oracles and (2) there are p distinct values in the ranges of both ψ_0 and ψ_1. This event happens with the overwhelming probability of 1 − O(q/p^2), where q is the upper bound on the number of queries that can be made during the simulation. We may even keep track of the algebraic expressions being called for from the oracles as long as "accidental collisions" do not occur. Specifically, we can think of an oracle query as being a rational function ν = η/ξ in the variables θ, α, β_1, β_2, s, t_i's, r^{(j)}'s, r_i^{(j)}'s and µ_k's. An accidental collision would be when for queries corresponding to any two distinct formal rational functions η/ξ ≠ η'/ξ', we have that the values of η/ξ and η'/ξ' coincide due to random choices of these independent variables' values.

We now condition that no such accidental collisions occur in either G_0 or G_1. For any pair of distinct queries η/ξ and η'/ξ' within a group, a collision occurs only if the non-zero polynomial

probability that any such collision happens in our simulation is at most O(q^2/p). Hence, we can condition on no such collision happening and still maintain 1 − O(q^2/p) of the probability mass.

We now consider what the adversary's view would have been if we had set θ = αs. In this part of Case 2 of the proof, subject to the above conditioning, we show that the adversary's view would have been identically distributed. Since we are in the generic group model, where each group element's representation is uniformly and independently chosen, the only way that the adversary's view can differ in the case θ = αs is if there are two queries ν and ν' into G_1 such that ν ≠ ν' but ν|_{θ=αs} = ν'|_{θ=αs}. Since θ only occurs as e(g, g)^θ in G_1, the only dependence ν or ν' can have on θ is by having some additive terms of the form γθ for some constant γ. Therefore we must have ν − ν' = γαs − γθ for some constant γ ≠ 0. We can then artificially add the query ν − ν' + γθ = γαs to the adversary's queries. We will now show that based on the information given to the adversary it can never construct a query for e(g, g)^{γαs}.

\[
\begin{array}{lllll}
t_i & \lambda_i & \lambda_i t_i & r^{(j)} + t_i r_i^{(j)} & \\
r_i^{(j)} & t_i t_{i'} & \lambda_i t_{i'} & t_i t_{i'} \lambda_i & \\
t_i (r^{(j)} + t_{i'} r_{i'}^{(j)}) & t_i r_{i'}^{(j)} & \alpha + r^{(j)} & s & \\
\alpha s + r^{(j)} s & r^{(j)} & \lambda_i \lambda_{i'} & t_i \lambda_i \lambda_{i'} & \\
\lambda_{i'} (r^{(j)} + t_i r_i^{(j)}) & \lambda_{i'} r_i^{(j)} & t_i t_{i'} \lambda_i \lambda_{i'} & t_i \lambda_i (r^{(j)} + t_{i'} r_{i'}^{(j)}) & \\
t_i \lambda_i r_{i'}^{(j)} & (r^{(j)} + t_i r_i^{(j)})(r^{(j')} + t_{i'} r_{i'}^{(j')}) & (r^{(j)} + t_i r_i^{(j)}) r_{i'}^{(j')} & r_i^{(j)} r_{i'}^{(j')} & \\
s t_{\mathsf{vk}} & \lambda_{\mathsf{vk}} & t_{\mathsf{vk}} t_i & t_{\mathsf{vk}} t_{\mathsf{vk}'} & t_{\mathsf{vk}} \lambda_i \\
t_{\mathsf{vk}} t_i \lambda_i & t_{\mathsf{vk}} t_{\mathsf{vk}'} \lambda_{\mathsf{vk}'} & t_{\mathsf{vk}} (r^{(j)} + t_i r_i^{(j)}) & t_{\mathsf{vk}} r_i^{(j)} & \\
t_{\mathsf{vk}} \lambda_{\mathsf{vk}} & t_{\mathsf{vk}} t_{\mathsf{vk}'} \lambda_{\mathsf{vk}} \lambda_{\mathsf{vk}'} & t_{\mathsf{vk}} \lambda_{\mathsf{vk}} t_i & t_{\mathsf{vk}} \lambda_{\mathsf{vk}} \lambda_i & \\
t_{\mathsf{vk}} t_i \lambda_{\mathsf{vk}} \lambda_i & t_{\mathsf{vk}} \lambda_{\mathsf{vk}} (r^{(j)} + t_i r_i^{(j)}) & t_{\mathsf{vk}} \lambda_{\mathsf{vk}} r_i^{(j)} & r^{(j)} \lambda_{\mathsf{vk}} &
\end{array}
\]

Table 1. Possible query types into G_1 from the adversary

Table 1 enumerates all the possible query types into G_1 by means of the bilinear map and the group elements given to the adversary, except for those that contain β_1 or β_2 in every monomial as they will not be relevant for constructing a query involving the term αs. In the table, the variables i and i' are possible attribute strings, j and j' are indices of secret key queries made by the adversary and vk and vk' are the verification keys generated by the KeyGen algorithm of the signature scheme. Note that all the possible queries are given in terms of λ_i's, not µ_k's. It can be checked that the query terms in the table can be formed by the adversary from the information available to it. In addition to the polynomials in the table, the adversary also has access to 1 and α. The adversary can query for arbitrary linear combinations of these terms. We will now show that no such combination can produce a polynomial of the form γαs for some constant γ ≠ 0.

In Table 1 the only term that contains αs is αs + r^{(j)}s, which can be formed by pairing sβ_1 with (α + r^{(j)})/β_1. By such queries, the adversary could create a polynomial of the form γαs + Σ_{j∈T} γ_j s r^{(j)} for some set T and constants γ, γ_j ≠ 0. To obtain a query polynomial of the form γαs the adversary must add other linear combinations in order to cancel the terms of the form Σ_{j∈T} γ_j s r^{(j)}. From the table, the only other terms that the adversary has access to that could involve terms of the form s r^{(j)} are obtained by pairing r^{(j)} + t_i r_i^{(j)} with some λ_{i'} and also by pairing β_2 λ_vk with r^{(j)}/β_2. This is so since the λ_{i'} and λ_vk terms are public linear combinations of µ_1, · · · , µ_l and s. The adversary can

\[
\gamma \alpha s + \sum_{j \in T} \gamma_j s r^{(j)} + \sum_{(i, i', \mathsf{vk}) \in T'_j} \left( \lambda_{i'} r^{(j)} + \lambda_{i'} t_i r_i^{(j)} + \lambda_{\mathsf{vk}} r^{(j)} \right) + \text{other terms}.
\]

We now complete the proof with the following case analysis that shows that none of the adversary's query polynomials can be of the form γαs.

Case 2a: In this case, let us assume that there exists some j ∈ T such that the set of secret shares L_j = {λ_{i'}, λ_vk : ∃i : (i, i', vk) ∈ T'_j} does not allow for reconstruction of s. If this is the case, then the term s r^{(j)} will not be cancelled and hence the adversary's query cannot be of the form γαs.

Case 2b: Now we assume that for all j ∈ T, the set of secret shares L_j = {λ_{i'}, λ_vk : ∃i : (i, i', vk) ∈ T'_j} does allow for the reconstruction of the secret s. Fix any j ∈ T. Consider the set of attributes S_j that belongs to the j-th Extract query from the adversary. By the restriction that no requested key should pass the challenge access structure and by the properties of the secret sharing scheme, the set of shares L'_j = {λ_i : i ∈ S_j} cannot reconstruct s. Thus, there must exist at least one share λ_{i'} in L_j such that λ_{i'} is linearly dependent of L'_j when written in terms of s and µ_1, · · · , µ_l. Thus for some i ∈ S_j, there must be a term of the form λ_{i'} t_i r_i^{(j)} in the adversary's queries. However, it is evident from Table 1 that the adversary has no access to a term of this form. Hence, none of the queries can be of the form γαs.
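The share assignment λ_i = q_i(0) over an access tree and the reconstruction of s that Cases 2a and 2b reason about, as an added example that is not the paper's code: s is shared top-down through a threshold access tree over F_p (each gate gets a random polynomial whose constant term is its parent's share) and reconstructed bottom-up by Lagrange interpolation at 0, so that a leaf set satisfying the tree recovers s while a non-satisfying set ends in ⊥, which is exactly the "cannot reconstruct s" condition used in Case 2b. The prime P, the gate encoding and the attribute names are constructed for the example; the per-user randomisation r^{(j)} that the scheme layers on top of these shares is not modelled here.

```python
"""Shamir sharing of s over a threshold access tree and reconstruction at 0.

CONSTRUCTED example of the share assignment lambda_i = q_i(0) used by the
challenge encapsulation; the prime P stands in for the group order p.
"""
import random
from typing import Dict, List, Optional, Tuple

P = 2**127 - 1   # Mersenne prime standing in for p (assumption)

def THRESHOLD(k: int, *children):
    return ("THRESHOLD", k, list(children))

def AND(*children):
    return THRESHOLD(len(children), *children)

def _poly_at(coeffs: List[int], x: int) -> int:
    """Evaluate q(x) = sum coeffs[d] * x^d mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def share(tree, secret: int, rng: random.Random) -> Dict[str, int]:
    """Top-down sharing: the root polynomial has q_R(0) = s, every gate x with
    threshold k_x gets a random degree-(k_x - 1) polynomial with q_x(0) equal
    to its parent's share, and each leaf attribute i receives lambda_i = q_i(0).
    Assumes every attribute appears at most once in the tree."""
    shares: Dict[str, int] = {}
    def walk(node, value: int) -> None:
        if isinstance(node, str):
            shares[node] = value
            return
        _, k, children = node
        coeffs = [value] + [rng.randrange(P) for _ in range(k - 1)]
        for index, child in enumerate(children, start=1):   # child x gets q(index(x))
            walk(child, _poly_at(coeffs, index))
    walk(tree, secret)
    return shares

def _lagrange_at_zero(points: List[Tuple[int, int]]) -> int:
    """Interpolate the polynomial through the points and evaluate it at 0."""
    total = 0
    for xj, yj in points:
        num = den = 1
        for xm, _ in points:
            if xm != xj:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total

def reconstruct(tree, held: Dict[str, int]) -> Optional[int]:
    """Bottom-up reconstruction using only the shares in `held`; returns None
    (⊥) when some gate on every path to the root has fewer than k_x satisfied
    children, i.e. when the held leaves do not satisfy the tree."""
    if isinstance(tree, str):
        return held.get(tree)
    _, k, children = tree
    points: List[Tuple[int, int]] = []
    for index, child in enumerate(children, start=1):
        value = reconstruct(child, held)
        if value is not None:
            points.append((index, value))
        if len(points) == k:
            break
    if len(points) < k:
        return None
    return _lagrange_at_zero(points)

def demo(seed: int = 1) -> Tuple[int, Optional[int], Optional[int]]:
    """Policy (constructed): moderator AND 2-of-{dev, ops, qa}.  Returns the
    secret, the value recovered by a satisfying leaf set and the value
    recovered by a non-satisfying one."""
    rng = random.Random(seed)
    tree = AND("moderator", THRESHOLD(2, "dev", "ops", "qa"))
    s = rng.randrange(1, P)
    shares = share(tree, s, rng)
    satisfying = {a: shares[a] for a in ("moderator", "dev", "qa")}
    non_satisfying = {a: shares[a] for a in ("dev", "ops", "qa")}   # no moderator
    return s, reconstruct(tree, satisfying), reconstruct(tree, non_satisfying)

if __name__ == "__main__":
    s, ok, fail = demo()
    print("satisfying set recovers s:", ok == s, " non-satisfying set:", fail)
```

Written in terms of s and the gate randomness (the µ_k of the proof), every λ_i is a public linear combination, and `reconstruct` succeeds precisely when those combinations span s; pooling shares of one sharing across colluding users would also span s, which is why the actual scheme blinds each user's key with its own r^{(j)} and why Case 2b has to argue about the λ_{i'} t_i r_i^{(j)} cross terms rather than about the shares alone.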

C Security Proof of the Generic AB-AKE Protocol

Proof. We prove the theorem in a sequence of games. Let S_i be the event that A_ake wins the AKE-security game in Game i.

Game 0. This is the original AKE-security game as per Definition 4. We have

\[ \mathrm{Adv}_{\mathcal{A}_{ake}} = |2 \cdot \Pr[S_0] - 1|. \tag{3} \]

Game 1. This game is the same as the previous one except that if two different sessions at user U_i output an identical message C_i, then the game aborts. Let Repeat be such an event. As there are ñ users in the protocol, we have

\[ |\Pr[S_0] - \Pr[S_1]| \le \tilde n \cdot \Pr[\mathsf{Repeat}]. \tag{4} \]

As the adversary is allowed to activate at most q_s sessions, we have

\[ \Pr[\mathsf{Repeat}] \le \frac{q_s^2}{|C|}. \tag{5} \]

Game 2. This is the same as the previous game except that a value t ←_R [1, q_s] is chosen. If the Test query does not occur in the t-th session the game aborts and outputs a random value. Let E_2 be the event that the guess is correct.

\[ \Pr[S_2] = \Pr[S_2 \mid E_2] \Pr[E_2] + \Pr[S_2 \mid \neg E_2] \Pr[\neg E_2] = \Pr[S_1] \cdot \frac{1}{q_s} + \frac{1}{2} \left( 1 - \frac{1}{q_s} \right) \]

Game 3. This is identical to the previous game except that the output of each f_{Ki} for 1 ≤ i ≤ ñ is replaced by a random value chosen uniformly from {0,1}^k. We have,

|Pr[S2] − Pr[S3]| ≤ ñ · Adv_A^prf. (7)

Game 4. This game is identical to the previous game except that the queries asked of Aake are now answered by Acca, an adversary against the IND-CCA security of the underlying EP-AB-KEM, as follows. Acca forwards the public parameters that it received from its challenger to Aake. Note that if we allow Aake to choose the access structure in the Test session, Aake chooses A∗ and sends it to Acca at the beginning of the Test session. Otherwise, Acca itself may choose A∗. Once Aake chooses the Test session, Acca gives the challenge access structure A∗ to its challenger. The EP-AB-KEM challenger returns (Kb, C∗) to Acca as described in Definition 2. The goal of Acca is to output whether Kb is encapsulated within C∗ or not. Acca finally chooses a user Ui∗ whose attributes Si∗ satisfy the challenge access structure A∗. With these choices, Acca now starts simulating answers to the queries of Aake as below. Note that we explain only the simulation done in the test session. The queries issued in all the other sessions can be trivially answered by Acca, since it is allowed to extract private keys corresponding to attributes that satisfy all the access structures except A∗.

Send(π_i^t, m): If m contains only A∗, as per the protocol it has to initiate the test session at Ui. If Ui = Ui∗, Acca returns the challenge encapsulation C∗ as the outgoing message from the instance π_i^t. Otherwise, Acca runs the Encapsulation algorithm on behalf of Ui and obtains the pair (Ki, Ci). It keeps Ki with itself and returns Ci as the outgoing message.

On the other hand, if the message contains an encapsulation Ci, Acca proceeds as follows:
1. If Ui = Ui∗, it issues a Decap query to its challenger with Ci and the attributes of Ui∗ as input. If the challenger returns a key Ki, Acca stores Ki and accepts the session. Otherwise, the session is rejected. Note that if Ui = Ui∗, then Ci cannot be equal to Ci∗ conditioning on the event Repeat in Game 1.
2. If Ui ≠ Ui∗, Acca first checks if Ci = Ci∗. If it matches, Acca accepts the session. Otherwise, as described above it issues a Decap query to its challenger with Ci and the attributes of Ui∗ as input. Note that the attributes of Ui∗ satisfy the access structure A∗ embedded in Ci. If the challenger returns a key Ki, Acca stores Ki and accepts the session. Otherwise, Acca rejects the session.

RevealKey(π_i^j): Note that a RevealKey query on the test session is not allowed. In all other sessions Acca can answer this query by simply asking Decap queries on all the encapsulations exchanged in that session. Since Acca is also allowed to extract private keys corresponding to attributes that do not satisfy A∗, it can trivially answer the RevealKey queries of all the sessions other than the test session.

Corrupt(Si): If Si does not satisfy A∗, then Acca can trivially answer this query using the Extract query available to it as part of the IND-CCA security game of the EP-AB-KEM.

Test(π_i^t): Acca now embeds the challenge key Kb into the response to Aake. It computes the challenge key κ∗ = f_{K1}(sid) ⊕ · · · ⊕ f_{Kb}(sid) ⊕ · · · ⊕ f_{Kn}(sid). Note that, as described in the simulation of Send queries above, all the symmetric keys other than Kb are either generated by Acca or obtained from its challenger via Decap queries. The key κ∗ is returned to Aake.

Since the simulation by Acca for Aake is perfect without any aborts, Game 3 and Game 4 are

Let b′ be the output of Aake. Acca simply passes this bit on to its challenger. This game is essentially Aake playing the IND-CCA security game against the EP-AB-KEM's challenger. Acca succeeds whenever Aake does so. Hence, the advantage of Acca is at least the same as that of Aake. We have

|2 · Pr[S4] − 1| ≤ Adv_Acca. (8)

From Equations 3 to 8, we have the claimed advantage for Aake.

Remark 3. From Game 4 of the above proof, it is evident that Acca obtains the challenge access structure A∗ only at the initiation of the Test session. However, Acca has to answer the queries asked by Aake on sessions established prior to the Test session, for which Acca has to interact with its challenger. As in the selective security model for EP-AB-KEMs, if Acca had to commit to an access structure at the start of its game, it could not simulate answers to all the queries asked by Aake. Hence, we need an EP-AB-KEM that is IND-CCA secure in the fully adaptive model for our generic construction of AB-AKE protocols.

D Ciphertext Policy Attribute-based Hybrid Encryption

We now extend the paradigm of hybrid encryption to CP-ABE. We show that an IND-CCA secure EP-AB-KEM when combined with any IND-CCA secure DEM will result in an IND-CCA secure CP-ABE scheme. The hybrid CP-ABE scheme will have the usual efficiency advantages that a hybrid encryption scheme has over a direct public key encryption scheme.

While our proof may seem straightforward, note that it has not previously been formally established. Combining a KEM and a DEM to achieve a secure hybrid encryption scheme is not always trivial, for example, as in the case of certificateless KEMs [3]. Moreover, Gorantla et al. [20] described a notion of security for signcryption KEMs which can be useful in establishing a relationship with key exchange protocols, but cannot be used in combination with any DEM for the purpose of hybrid signcryption. Hence, it is necessary to validate the combination of any KEM and DEM.

We show our result only for fully adaptive CCA-secure hybrid CP-ABE schemes. Our proof can be easily extended to other flavours of security i.e., notions that consider CPA-secure and/or selective-policy CP-ABE schemes.
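The following is an added worked example; it is not code from the paper and the authors give no implementation. It exercises two things described above: the one-round AB-AKE key derivation κ∗ = f_{K1}(sid) ⊕ · · · ⊕ f_{Kn}(sid) from Game 4 (each party broadcasts one encapsulation under the access structure, decapsulates the others' with its attribute key, and XORs the PRF outputs), and the KEM+DEM hybrid composition of this appendix. Because a real EP-AB-KEM needs pairings, the KEM here is a stand-in that only models the interface (Decap succeeds iff the attributes satisfy the embedded policy), with no cryptographic security of its own; the PRF choice (HMAC-SHA256), the AND-policy representation, the sid definition (hash of all exchanged encapsulations) and the encrypt-then-MAC DEM are all assumptions made for the example.

```python
# Added example (not the paper's code). The KEM below is an interface stand-in only.
import hashlib
import hmac
import os
from typing import Dict, FrozenSet, List, Optional, Tuple

Attrs = FrozenSet[str]
Policy = FrozenSet[str]          # assumption: AND-policy, satisfied iff attrs >= policy
Encaps = Tuple[Policy, bytes]    # (embedded access structure, opaque handle)


class StandInKEM:
    """Models Setup/Extract/Encap/Decap of an EP-AB-KEM. Assumption: keys live in a
    trusted table behind a random handle, so there is NO cryptographic security here.
    It enforces only what the proof uses: Decap succeeds iff the private key's
    attributes satisfy the access structure embedded in C, and fails on a bogus C."""

    def __init__(self) -> None:
        self._table: Dict[bytes, bytes] = {}

    def extract(self, attrs: Attrs) -> Attrs:      # private key for an attribute set
        return attrs

    def encap(self, policy: Policy) -> Tuple[bytes, Encaps]:
        key, handle = os.urandom(32), os.urandom(16)
        self._table[handle] = key
        return key, (policy, handle)

    def decap(self, sk: Attrs, c: Encaps) -> Optional[bytes]:
        policy, handle = c
        if not sk >= policy or handle not in self._table:
            return None                            # attributes do not satisfy A, or C is bogus
        return self._table[handle]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prf(key: bytes, sid: bytes) -> bytes:
    """f_K(sid), instantiated with HMAC-SHA256 (assumption; the paper fixes no PRF)."""
    return hmac.new(key, sid, hashlib.sha256).digest()


def session_key(keys: List[bytes], sid: bytes) -> bytes:
    """kappa* = XOR of every party's PRF output on the session identifier."""
    out = bytes(32)
    for k in keys:
        out = _xor(out, prf(k, sid))
    return out


def run_ab_ake(kem: StandInKEM, policy: Policy,
               parties: Dict[str, Attrs]) -> Dict[str, Optional[bytes]]:
    """One round: each party broadcasts its own encapsulation under the policy, then
    decapsulates the others' and XORs the PRF outputs. sid = H(all encapsulations)
    (assumption). A party whose attributes fail the policy ends with no key."""
    own = {u: kem.encap(policy) for u in parties}            # (K_u, C_u) per party
    sid = hashlib.sha256(b"".join(own[u][1][1] for u in sorted(own))).digest()
    result: Dict[str, Optional[bytes]] = {}
    for u, attrs in parties.items():
        sk = kem.extract(attrs)
        keys: Optional[List[bytes]] = []
        for v in sorted(own):
            k = own[v][0] if v == u else kem.decap(sk, own[v][1])
            if k is None:
                keys = None
                break
            keys.append(k)
        result[u] = session_key(keys, sid) if keys is not None else None
    return result


# ---- IND-CCA DEM (encrypt-then-MAC over an HMAC counter keystream) + hybrid scheme ----
def _keystream(ke: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(ke, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def dem_encrypt(k: bytes, m: bytes) -> bytes:
    ke, km = k[:16], k[16:]
    nonce = os.urandom(16)
    ct = _xor(m, _keystream(ke, nonce, len(m)))
    return nonce + ct + hmac.new(km, nonce + ct, hashlib.sha256).digest()


def dem_decrypt(k: bytes, c: bytes) -> Optional[bytes]:
    ke, km = k[:16], k[16:]
    if len(c) < 48:
        return None
    nonce, ct, tag = c[:16], c[16:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, nonce + ct, hashlib.sha256).digest()):
        return None      # reject before decrypting: this check is what gives the DEM CCA security
    return _xor(ct, _keystream(ke, nonce, len(ct)))


def hybrid_encrypt(kem: StandInKEM, policy: Policy, m: bytes) -> Tuple[Encaps, bytes]:
    k, c_kem = kem.encap(policy)                 # KEM part carries the access structure
    return c_kem, dem_encrypt(k, m)


def hybrid_decrypt(kem: StandInKEM, sk: Attrs, ct: Tuple[Encaps, bytes]) -> Optional[bytes]:
    c_kem, c_dem = ct
    k = kem.decap(sk, c_kem)
    return None if k is None else dem_decrypt(k, c_dem)
```

With three parties where only two hold attributes satisfying the policy, `run_ab_ake` gives those two the same κ∗ and the third nothing, even though the third party's own encapsulation was accepted by the others; this mirrors the proof's point that the session key is determined by all n KEM keys, so replacing the challenge key Kb with a random one (Game 4) randomises κ∗. In the hybrid scheme a flipped ciphertext byte or a private key for insufficient attributes both make decryption return None rather than garbage.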

D.1 CCA Security for CP-ABE Schemes

A CP-ABE scheme consists of four polynomial time algorithms: Setup, Encrypt, KeyGen, Decrypt. An optional Delegate algorithm may also exist. The access structure A and the set of parties are as defined in Section 2.

Setup(k, U) This algorithm takes the security parameter k and the attribute universe description U as inputs. The public parameters PK and the master key MK are the outputs.

Encrypt(PK, M, A) This algorithm takes as input the public parameters PK, a message M and an access structure A over the attribute universe U. This algorithm encrypts M and produces a ciphertext CT such that only a user that possesses a set of attributes satisfying A will be able

Table 1. Possible query types into G1 from the adversary
